title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: test
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022-08-23
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: ':\Windows\Sysnative\'
        - Image|contains: ':\Windows\Sysnative\'
    filter_main_ngen:
        Image|contains:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
        Image|endswith: '\ngen.exe'
        CommandLine|contains: 'install'
    filter_optional_xampp:
        CommandLine|contains|all:
            - '"C:\Windows\sysnative\cmd.exe"'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Process Launched Without Image Name
id: f208d6d8-d83a-4c2c-960d-877c37da84e5
status: test
description: Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
references:
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\.exe'
    condition: selection
falsepositives:
    - Rare legitimate software.
level: medium

title: Process Monitor Driver Creation By Non-Sysinternals Binary
id: a05baa88-e922-4001-bc4d-8738135f27de
status: test
description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1068
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\procmon'
        TargetFilename|endswith: '.sys'
    filter_main_process_explorer:
        Image|endswith:
            - '\procmon.exe'
            - '\procmon64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur with legitimate renamed process monitor binaries
level: medium

title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
    - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsolete
status: test
description: |
    Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2025-10-07
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_exec:
        CommandLine|contains:
            - '--processStart'
            - '--processStartAndWait'
            - '--createShortcut'
    filter_optional_discord:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Discord\Update.exe'
            - 'Discord.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStart'
    filter_optional_github_desktop:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\Update.exe'
            - 'GitHubDesktop.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStartAndWait'
    filter_optional_teams:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\Teams\Update.exe'
            - 'Teams.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    filter_optional_yammer:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\yammerdesktop\Update.exe'
            - 'Yammer.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium

title: Publisher Attachment File Dropped In Suspicious Location
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: test
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
references:
    - https://twitter.com/EmericNasi/status/1623224526220804098
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.stealth
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Temp\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        TargetFilename|endswith: '.pub'
    condition: selection
falsepositives:
    - Legitimate usage of ".pub" files from those locations
level: medium

title: Pubprn.vbs Proxy Execution
id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
status: test
description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
author: frack113
date: 2022-05-28
tags:
    - attack.stealth
    - attack.t1216.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\pubprn.vbs'
            - 'script:'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Python Path Configuration File Creation - Linux
id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce
related:
    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
      type: similar
    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
        TargetFilename|endswith: '.pth'
    condition: selection
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium

title: Python Path Configuration File Creation - MacOS
id: 4f394635-13ef-4599-b677-3353e0f84f55
related:
    - id: e3652ba3-0ad8-4010-a957-b7ba369e7bac # Windows
      type: similar
    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: macos
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)/lib/python3\.([5-9]|[0-9]{2})/site-packages/' # Unix and macOS
        TargetFilename|endswith: '.pth'
    condition: selection
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium

title: Python Path Configuration File Creation - Windows
id: e3652ba3-0ad8-4010-a957-b7ba369e7bac
related:
    - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
      type: similar
    - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
      type: similar
status: test
description: |
    Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
    Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
    Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
references:
    - https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
    - https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
    - https://docs.python.org/3/library/site.html
author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-25
tags:
    - attack.execution
    - attack.t1059.006
    - detection.threat-hunting
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|re: '(?i)\\(venv|python(.+)?)\\lib\\site-packages\\' # Covers both Virtual envs and default paths
        TargetFilename|endswith: '.pth'
    filter_main_python:
        Image|endswith: '\python.exe'
        TargetFilename|endswith:
            - '\pywin32.pth' # VS Studio Python extension
            - '\distutils-precedence.pth'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Although .pth files are discouraged due to potential security implications, these are legitimate files by specification.
level: medium

title: Python Spawning Pretty TTY Via PTY Module
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
    - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
      type: similar
status: test
description: |
    Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
references:
    - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
date: 2022-06-03
modified: 2024-11-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_cli_import:
        CommandLine|contains:
            - 'import pty'
            - 'from pty '
    selection_cli_spawn:
        CommandLine|contains: 'spawn'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Python WebServer Execution - Linux
id: 3f0f5957-04f8-4792-ad89-192b0303bde6
status: experimental
description: |
    Detects the execution of Python web servers via command line interface (CLI).
    After gaining access to target systems, adversaries may use Python's built-in HTTP server modules to quickly establish a web server without requiring additional software.
    This technique is commonly used in post-exploitation scenarios as it provides a simple method for transferring files between the compromised host and attacker-controlled systems.
references:
    - https://www.atomicredteam.io/atomic-red-team/atomics/T1048.003#atomic-test-8---python3-httpserver
    - https://docs.python.org/3/library/http.server.html
    - https://docs.python.org/2/library/simplehttpserver.html
author: Mohamed LAKRI
date: 2025-10-17
tags:
    - attack.exfiltration
    - attack.t1048.003
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '/python'
              - '/python2'
              - '/python3'
        - Image|contains:
              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
              - '/python3.'
    selection_module:
        CommandLine|contains:
            - 'http.server'
            - 'SimpleHTTPServer'
    condition: all of selection_*
falsepositives:
    - Testing or development activity
level: medium

title: Query Usage To Exfil Data
id: 53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2
status: test
description: Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
references:
    - https://twitter.com/MichalKoczwara/status/1553634816016498688
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-01-19
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: ':\Windows\System32\query.exe'
        CommandLine|contains:
            - 'session >'
            - 'process >'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: RDP Sensitive Settings Changed to Zero
id: a2863fbc-d5cb-48d5-83fb-d976d4b1743b
related:
    - id: 3f6b7b62-61aa-45db-96bd-9c31b36b653c
      type: similar
    - id: 4b8f6d3a-9c5e-4f2a-a7d8-6b9c3e5f2a8d
      type: similar
status: test
description: |
    Detects tampering of RDP Terminal Service/Server sensitive settings.
    Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
references:
    - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
    - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
    - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
    - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
    - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
    - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
date: 2022-09-29
modified: 2022-11-26
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\fDenyTSConnections' # Specifies whether Remote Desktop connections are enabled - When set to zero RDP is enabled
            - '\fSingleSessionPerUser' # When changed to 0 it allows multiple RDP sessions
            - '\UserAuthentication' # Specifies that Network-Level user authentication is not required before the remote desktop connection is established
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
level: medium

title: REGISTER_APP.VBS Proxy Execution
id: 1c8774a0-44d4-4db0-91f8-e792359c70bd
status: test
description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
references:
    - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\register_app.vbs'
            - '-register'
    condition: selection
falsepositives:
    - Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign
level: medium

title: Rclone Config File Creation
id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
status: test
description: Detects Rclone config files being created
references:
    - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
author: Aaron Greetham (@beardofbinary) - NCC Group
date: 2021-05-26
modified: 2023-05-09
tags:
    - attack.exfiltration
    - attack.t1567.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains|all:
            - ':\Users\'
            - '\.config\rclone\'
    condition: selection
falsepositives:
    - Legitimate Rclone usage
level: medium

title: Recon Command Output Piped To Findstr.EXE
id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
    - id: fe63010f-8823-4864-a96b-a7b4a0f7b929
      type: derived
status: test
description: |
    Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
    Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist
    - https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
    - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-07-06
modified: 2025-10-08
tags:
    - attack.discovery
    - attack.t1057
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # Note: Add additional CLI to increase and enhance coverage
            # Note: We use wildcards in this instance to avoid writing a lot of variations that can be avoided easily. You can switch to regex if its supported by your backend.
            - 'ipconfig*|*find'
            - 'net*|*find'
            - 'netstat*|*find'
            - 'ping*|*find'
            - 'systeminfo*|*find'
            - 'tasklist*|*find'
            - 'whoami*|*find'
    filter_optional_xampp:
        CommandLine|contains|all:
            - 'cmd.exe /c TASKLIST /V |'
            - 'FIND /I'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output/info.yml

title: Register New IFiltre For Persistence
id: b23818c7-e575-4d13-8012-332075ec0a2b
status: test
description: |
    Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
    You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
references:
    - https://persistence-info.github.io/Data/ifilters.html
    - https://twitter.com/0gtweet/status/1468548924600459267
    - https://github.com/gtworek/PSBits/tree/master/IFilter
    - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2024-03-26
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection_ext:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\.'
            - '\PersistentHandler'
    selection_clsid:
        TargetObject|contains|all:
            - '\SOFTWARE\Classes\CLSID'
            - '\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}'
    filter_default_targets:
        TargetObject|contains:
            # TODO: Add the default extension PersistentHandler.
            # Note this could also offer blindspot as the attacker could use on of these and hijack them
            - '\CLSID\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\' # Office Open XML Format PowerPoint Persistent Handler
            - '\CLSID\{4887767F-7ADC-4983-B576-88FB643D6F79}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\' # Office Open XML Format Word Persistent Handler
            - '\CLSID\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\' # Microsoft OneNote Windows Desktop Search IFilter Persistent handler
            - '\CLSID\{098f2470-bae0-11cd-b579-08002b30bfeb}\' # Null persistent handler
            - '\CLSID\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\' # PDF Persistent Handler
            - '\CLSID\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\' # rtf persistent handler
            - '\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\' # Open Document Format ODT Persistent Handler
            - '\CLSID\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\' # Zip Persistent Handler
            - '\CLSID\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\' # Open Document Format ODS Persistent Handler
            - '\CLSID\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\' # Related to MIME Filter
            - '\CLSID\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\' # Setting Content File Persistent Handler
            - '\CLSID\{5e941d80-bf96-11cd-b579-08002b30bfeb}\' # Plain Text persistent handler
            - '\CLSID\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\' # Wordpad OOXML Document Filter
            - '\CLSID\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\' # XML File Persistent Handler
            - '\CLSID\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\' # .url File Persistent Handler
            - '\CLSID\{9694E38A-E081-46ac-99A0-8743C909ACB6}\' # html persistent handler for mapi email
            - '\CLSID\{98de59a0-d175-11cd-a7bd-00006b827d94}\' # Microsoft Office Persistent Handler
            - '\CLSID\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\' # Wordpad ODT Document Filter
            - '\CLSID\{B4132098-7A03-423D-9463-163CB07C151F}\' # Office Open XML Format Excel Persistent Handler
            - '\CLSID\{d044309b-5da6-4633-b085-4ed02522e5a5}\' # App Content File Persistent Handler
            - '\CLSID\{D169C14A-5148-4322-92C8-754FC9D018D8}\' # rtf persistent handler for mapi email
            - '\CLSID\{DD75716E-B42E-4978-BB60-1497B92E30C4}\' # text persistent handler for mapi email
            - '\CLSID\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\' # Open Document Format ODP Persistent Handler
            - '\CLSID\{E772CEB3-E203-4828-ADF1-765713D981B8}\' # Microsoft OneNote Section persistent handler
            - '\CLSID\{eec97550-47a9-11cf-b952-00aa0051fe20}' # HTML File persistent handler
            # - '\CLSID\{F6F00E65-9CAF-43BB-809A-38AA4621BCF2}' # XMind Persistent Handler (not present by default)
            - '\CLSID\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\' # Office Outlook MSG Persistent Handler
    filter_generic_paths:
        Image|startswith:
            # Note: We assume if an attacker has access to one of these directories. Then he already has admin.
            - 'C:\Windows\System32\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate registration of IFilters by the OS or software
level: medium

title: Registry Explorer Policy Modification
id: 1c3121ed-041b-4d97-a075-07f54f20fb4a
status: test
description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyDocuments'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu'
        Details: 'DWORD (0x00000001)'
    condition: selection_set_1
falsepositives:
    - Legitimate admin script
level: medium

title: Registry Hide Function from User
id: 5a93eb65-dffa-4543-b761-94aa60098fb6
status: test
description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
author: frack113
date: 2022-03-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_set_1:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
        Details: 'DWORD (0x00000001)'
    selection_set_0:
        TargetObject|endswith:
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip'
            - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor'
        Details: 'DWORD (0x00000000)'
    condition: 1 of selection_set_*
falsepositives:
    - Legitimate admin script
level: medium

title: Registry Modification Attempt Via VBScript
id: 921aa10f-2e74-4cca-9498-98f9ca4d6fdf
related:
    - id: 2a0a169d-cc66-43ce-9ae2-6e678e54e46a
      type: similar
    - id: 7f4c43f9-b1a5-4c7d-b24a-b41bf3a3ebf2
      type: similar
status: experimental
description: |
    Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs.
    It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell.
    Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
references:
    - https://www.linkedin.com/posts/mauricefielenbach_livingofftheland-redteam-persistence-activity-7344801774182051843-TE00/
    - https://www.nextron-systems.com/2025/07/29/detecting-the-most-popular-mitre-persistence-method-registry-run-keys-startup-folder/
date: 2025-08-13
author: Swachchhanda Shrawan Poudel (Nextron Systems)
tags:
    - attack.persistence
    - attack.execution
    - attack.defense-impairment
    - attack.t1112
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'CreateObject'
            - 'Wscript.shell'
            - '.RegWrite'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Registry Modification to Hidden File Extension
id: 5df86130-4e95-4a54-90f7-26541b40aec2
status: test
description: Hides the file extension through modification of the registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
    - https://unit42.paloaltonetworks.com/ransomware-families/
    - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection_HideFileExt:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
        Details: 'DWORD (0x00000001)'
    selection_Hidden:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000002)'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripts
level: medium

title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
id: 1c2a3268-3881-414a-80af-a5b313b14c0e
status: test
description: |
    Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
    The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
    These can be used for example in decrypting malicious payload for defense evasion.
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0
    - https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
author: Andreas Braathen (mnemonic.io)
date: 2023-12-01
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1059.001
    - attack.t1027.010
    - attack.t1547.001
    - detection.threat-hunting
logsource:
    product: windows
    category: registry_set
detection:
    selection_key:
        TargetObject|contains: '\Shell\Open\Command'
    selection_value_img:
        Details|contains:
            - 'powershell'
            - 'pwsh'
    selection_value_namespace:
        Details|contains: 'System.Security.Cryptography.'
    selection_value_classes:
        Details|contains:
            - '.AesCryptoServiceProvider'
            - '.DESCryptoServiceProvider'
            - '.DSACryptoServiceProvider'
            - '.RC2CryptoServiceProvider'
            - '.Rijndael'
            - '.RSACryptoServiceProvider'
            - '.TripleDESCryptoServiceProvider'
    condition: all of selection_*
falsepositives:
    - Classes are legitimately used, but less so when e.g. parents with low prevalence or decryption of content in temporary folders.
level: medium

title: RemCom Service File Creation
id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
status: test
description: Detects default RemCom service filename which indicates RemCom service installation and execution
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\RemComSvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
id: aa3168fb-d594-4f93-a92d-7a9ba675b766
status: test
description: |
    Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.

    Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
    Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed.

    Hunting Opportunity 1- Weed Out The Noise

    When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through  a policy with name "test_app_1":

    ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"

    After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.

    Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours

    If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
references:
    - https://twitter.com/Kostastsale/status/1646256901506605063?s=20
    - https://www.action1.com/documentation/
author: '@kostastsale'
date: 2023-04-13
tags:
    - attack.command-and-control
    - attack.t1219.002
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_app_deployment_exec:
        ParentImage|endswith: '\action1_agent.exe'
        Image|contains: '\Windows\Action1\package_downloads\'
    selection_command_exec:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        ParentCommandLine|contains:
            - '\Action1\scripts\Run_Command_'
            - '\Action1\scripts\Run_PowerShell_'
    selection_remote_session_init:
        Image|endswith: '\agent1_remote.exe'
    condition: 1 of selection_*
falsepositives:
    - If Action1 is among the approved software in your environment, you might find that this is a noisy query. See description for ideas on how to alter this query and start looking for suspicious activities.
level: medium

title: Remote Access Tool - Ammy Admin Agent Execution
id: 7da7809e-f3d5-47a3-9d5d-fc9d019caf14
status: test
description: Detects the execution of the Ammy Admin RMM agent for remote management.
references:
    - https://www.ammyy.com/en/admin_features.html
author: '@kostastsale'
date: 2024-08-05
tags:
    - attack.execution
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'AMMYY\aa_nts.dll",run'
    condition: selection
falsepositives:
    - Legitimate use of Ammy Admin RMM agent for remote management by admins.
level: medium

title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection
falsepositives:
    - Legitimate piping of the password to anydesk
    - Some FP could occur with similar tools that uses the same command line '--set-password'
level: medium

title: Remote Access Tool - Cmd.EXE Execution via AnyViewer
id: bc533330-fc29-44c0-b245-7dc6e5939c87
status: test
description: |
    Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
references:
    - https://www.anyviewer.com/help/remote-technical-support.html
author: '@kostastsale'
date: 2024-08-03
tags:
    - attack.execution
    - attack.persistence
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\AVCore.exe'
        ParentCommandLine|contains: 'AVCore.exe" -d'
        Image|endswith: '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate use for admin activity.
level: medium

title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
id: 74a2b202-73e0-4693-9a3a-9d36146d0775
status: test
description: |
    Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
    MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
references:
    - https://github.com/Ylianst/MeshAgent
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173
    - https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
author: '@Kostastsale'
date: 2024-09-22
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\meshagent.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - False positives can be found in environments using MeshAgent for remote management, analysis should prioritize the grandparent process, MeshAgent.exe, and scrutinize the resulting child processes triggered by any suspicious interactive commands directed at the target host.
level: medium

title: Remote Access Tool - Potential MeshAgent Execution - MacOS
id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
related:
    - id: 2fbbe9ff-0afc-470b-bdc0-592198339968
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium

title: Remote Access Tool - Potential MeshAgent Execution - Windows
id: 2fbbe9ff-0afc-470b-bdc0-592198339968
related:
    - id: 22c45af6-f590-4d44-bab3-b5b2d2a2b6d9
      type: similar
status: experimental
description: |
    Detects potential execution of MeshAgent which is a tool used for remote access.
    Historical data shows that threat actors rename MeshAgent binary to evade detection.
    Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
references:
    - https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access
    - https://thecyberexpress.com/ukraine-hit-by-meshagent-malware-campaign/
    - https://wazuh.com/blog/how-to-detect-meshagent-with-wazuh/
    - https://www.security.com/threat-intelligence/medusa-ransomware-attacks
author: Norbert Jaśniewicz (AlphaSOC)
date: 2025-05-19
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '--meshServiceName'
    condition: selection
falsepositives:
    - Environments that legitimately use MeshAgent
level: medium

title: Remote Access Tool - RURAT Execution From Unusual Location
id: e01fa958-6893-41d4-ae03-182477c5e77d
status: test
description: Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-03-05
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\rutserv.exe'
              - '\rfusclient.exe'
        - Product: 'Remote Utilities'
    filter:
        Image|startswith:
            - 'C:\Program Files\Remote Utilities'
            - 'C:\Program Files (x86)\Remote Utilities'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Remote Access Tool - ScreenConnect Installation Execution
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
status: test
description: Detects ScreenConnect program starts that establish a remote access to a system.
references:
    - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2024-02-26
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'e=Access&'
            - 'y=Guest&'
            - '&p='
            - '&c='
            - '&k='
    condition: selection
falsepositives:
    - Legitimate use by administrative staff
level: medium

title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
      type: derived
status: test
description: |
    Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - ':\Windows\TEMP\ScreenConnect\'
            - 'run.cmd'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\dllhost.exe'
            - '\net.exe'
            - '\nltest.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\rundll32.exe'
            - '\wevtutil.exe'
    condition: selection
falsepositives:
    - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
level: medium

title: Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: derived
    - id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
      type: derived
status: test
description: |
    Detects remote binary or command execution via the ScreenConnect Service.
    Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
modified: 2024-02-26
tags:
    - attack.execution
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    condition: selection
falsepositives:
    - Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
level: medium

title: Remote Access Tool - Simple Help Execution
id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\JWrapper-Remote Access\'
            - '\JWrapper-Remote Support\'
        Image|endswith: '\SimpleService.exe'
    condition: selection
falsepositives:
    - Legitimate usage of the tool
level: medium

title: Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server
id: 2db93a3f-3249-4f73-9e68-0e77a0f8ae7e
status: experimental
description: |
    Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line.
    These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID.
    This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
references:
    - https://github.com/amidaware/tacticalrmm
    - https://apophis133.medium.com/powershell-script-tactical-rmm-installation-45afb639eff3
author: Ahmed Nosir (@egycondor)
date: 2025-05-29
tags:
    - attack.command-and-control
    - attack.t1219
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\TacticalAgent\tacticalrmm.exe'
        CommandLine|contains|all:
            - '--api'
            - '--auth'
            - '--client-id'
            - '--site-id'
            - '--agent-type'
    condition: selection
falsepositives:
    - Legitimate system administrator deploying TacticalRMM
level: medium

title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote File Download Via Desktopimgdownldr Utility
id: 214641c2-c579-4ecb-8427-0cf19df6842e
status: test
description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
references:
    - https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\desktopimgdownldr.exe'
        ParentImage|endswith: '\desktopimgdownldr.exe'
        CommandLine|contains: '/lockscreenurl:http'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
status: test
description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
references:
    - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1059.001
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\wsmprovhost.exe'
        - ParentImage|endswith: '\wsmprovhost.exe'
    condition: selection
falsepositives:
    - Legitimate usage of remote Powershell, e.g. for monitoring purposes.
level: medium

title: Removal Of Index Value to Hide Schedule Task - Registry
id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
related:
    - id: acd74772-5f88-45c7-956b-6a7b36c294d2
      type: similar
    - id: 5b16df71-8615-4f7f-ac9b-6c43c0509e61
      type: similar
status: test
description: Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
references:
    - https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-26
modified: 2025-10-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'Index'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_index_value_removal/info.yml

title: Removal Of SD Value to Hide Schedule Task - Registry
id: acd74772-5f88-45c7-956b-6a7b36c294d2
related:
    - id: 526cc8bc-1cdc-48ad-8b26-f19bff969cec
      type: similar
status: test
description: Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
references:
    - https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
author: Sittikorn S
date: 2022-04-15
modified: 2025-10-25
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
            - 'SD'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal/info.yml

title: Removal of Potential COM Hijacking Registry Keys
id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
status: test
description: |
    Detects any deletion of entries in ".*\shell\open\command" registry keys.
    These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/7
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md
    - https://learn.microsoft.com/en-us/windows/win32/shell/launch
    - https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
    - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_delete
detection:
    selection:
        TargetObject|endswith: '\shell\open\command'
    filter_main_explorer:
        Image|endswith: 'C:\Windows\explorer.exe'
    filter_main_svchost:
        Image: 'C:\Windows\system32\svchost.exe'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_generic_prorams:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_openwith:
        Image: 'C:\Windows\System32\OpenWith.exe'
    filter_optional_dropbox:
        Image|endswith: '\Dropbox.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Dropbox.'
    filter_optional_wireshark:
        Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\wireshark-capture-file\'
    filter_optional_peazip:
        Image|contains: 'peazip'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\PeaZip.'
    filter_optional_everything:
        Image|endswith: '\Everything.exe'
        # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT)
        TargetObject|contains: '\Everything.'
    filter_optional_uninstallers:
        # This image path is linked with different uninstallers when running as admin unfortunately
        Image|startswith: 'C:\Windows\Installer\MSI'
    filter_optional_java:
        Image|startswith: 'C:\Program Files (x86)\Java\'
        Image|endswith: '\installer.exe'
        TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}'
    filter_optional_edgeupdate:
        Image|contains: '\Microsoft\EdgeUpdate\Install'
    filter_optional_avira:
        Image:
            - 'C:\Program Files (x86)\Avira\Antivirus\'
            - 'C:\Program Files\Avira\Antivirus\'
        TargetObject|endswith:
            - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command'
            - '\AntiVir.Keyfile\shell\open\command'
    filter_optional_installer_temp:
        - Image|contains|all:
              - 'AppData\Local\Temp'
              - '\setup.exe'
        - Image|contains|all:
              - '\Temp\is-'
              - '\target.tmp'
    filter_optional_ninite:
        Image|endswith: '\ninite.exe'
    filter_optional_discord:
        Image|endswith: '\reg.exe'
        TargetObject|endswith: '\Discord\shell\open\command'
    filter_optional_spotify:
        Image|endswith: '\Spotify.exe'
        TargetObject|endswith: '\Spotify\shell\open\command'
    filter_optional_eclipse:
        Image|endswith: 'C:\eclipse\eclipse.exe'
        TargetObject|contains: '_Classes\eclipse+'
    filter_optional_teamviewer:
        Image|contains|all:
            - '\Temp'
            - '\TeamViewer'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered
level: medium

title: Remove Immutable File Attribute
id: 34979410-e4b5-4e5d-8cfb-389fdff05c12
related:
    - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7
      type: derived
status: test
description: Detects usage of the 'chattr' utility to remove immutable file attribute.
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chattr'
        CommandLine|contains: ' -i '
    condition: selection
falsepositives:
    - Administrator interacting with immutable files (e.g. for instance backups).
level: medium

title: Remove Scheduled Cron Task/Job
id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
status: test
description: |
    Detects usage of the 'crontab' utility to remove the current crontab.
    This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'crontab'
        CommandLine|contains: ' -r'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Renamed Remote Utilities RAT (RURAT) Execution
id: 9ef27c24-4903-4192-881a-3adde7ff92a5
status: test
description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-19
modified: 2023-02-03
tags:
    - attack.collection
    - attack.command-and-control
    - attack.discovery
    - attack.stealth
    - attack.s0592
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Remote Utilities'
    filter:
        Image|endswith:
            - '\rutserv.exe'
            - '\rfusclient.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Replace.exe Usage
id: 9292293b-8496-4715-9db6-37028dcda4b3
status: test
description: Detects the use of Replace.exe which can be used to replace file with another file
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Replace/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
author: frack113
date: 2022-03-06
modified: 2024-03-13
tags:
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\replace.exe'
    argument:
        CommandLine|contains|windash: '-a'
    condition: selection and argument
falsepositives:
    - Unknown
level: medium

title: Root Account Enable Via Dsenableroot
id: 821bcf4d-46c7-4b87-bc57-9509d3ba7c11
status: test
description: Detects attempts to enable the root account via "dsenableroot"
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml
    - https://ss64.com/osx/dsenableroot.html
author: Sohan G (D4rkCiph3r)
date: 2023-08-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1078
    - attack.t1078.001
    - attack.t1078.003
    - attack.initial-access
    - attack.persistence
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/dsenableroot'
    filter_main_disable:
        CommandLine|contains: ' -d '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Run Once Task Configuration in Registry
id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
status: test
description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
references:
    - https://twitter.com/pabraeken/status/990717080805789697
    - https://lolbas-project.github.io/lolbas/Binaries/Runonce/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020-11-15
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains: '\Microsoft\Active Setup\Installed Components'
        TargetObject|endswith: '\StubPath'
    filter_optional_chrome:
        Details|contains|all:
            - 'C:\Program Files\Google\Chrome\Application\'
            - '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end
    filter_optional_edge:
        Details|contains:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
            - 'C:\Program Files\Microsoft\Edge\Application\'
        Details|endswith: '\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate modification of the registry key by legitimate program
level: medium

title: SCR File Write Event
id: c048f047-7e2a-4888-b302-55f509d4a91d
status: test
description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
date: 2022-04-27
modified: 2023-08-23
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter:
        TargetFilename|contains:
            - ':\$WINDOWS.~BT\NewOS\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
            - ':\WUDownloadCache\' # Windows Update Download Cache
    condition: selection and not filter
falsepositives:
    - The installation of new screen savers by third party software
level: medium

title: Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
id: 81325ce1-be01-4250-944f-b4789644556f
related:
    - id: 43f487f0-755f-4c2a-bce7-d6d2eec2fcf8 # TODO: Recreate after baseline
      type: derived
status: test
description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
references:
    - https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
    - https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
    - https://blog.talosintelligence.com/gophish-powerrat-dcrat/
author: Florian Roth (Nextron Systems)
date: 2022-02-21
modified: 2025-10-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_1_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|windash: ' /create '
    selection_1_all_folders:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\Users\All Users\'
            - ':\Users\Default\'
            - ':\Users\Public'
            - ':\Windows\Temp'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '%AppData%'
            - '%Public%'
    selection_2_parent:
        ParentCommandLine|endswith: '\svchost.exe -k netsvcs -p -s Schedule'
    selection_2_some_folders:
        CommandLine|contains:
            - ':\Perflogs'
            - ':\Windows\Temp'
            - '\Users\Public'
            - '%Public%'
    filter_optional_other:
        - ParentCommandLine|contains: 'unattended.ini'
        - CommandLine|contains: 'update_task.xml'
    filter_optional_team_viewer:
        CommandLine|contains: '/Create /TN TVInstallRestore /TR'
    filter_optional_avira_install:
        # Comment out this filter if you dont use AVIRA
        CommandLine|contains|all:
            - '/Create /Xml '
            - '\Temp\.CR.'
            - '\Avira_Security_Installation.xml'
    filter_optional_avira_other:
        # Comment out this filter if you dont use AVIRA
        CommandLine|contains|all:
            - '/Create /F /TN'
            - '/Xml '
            - '\Temp\'
            - 'Avira_'
        CommandLine|contains:
            - '.tmp\UpdateFallbackTask.xml'
            - '.tmp\WatchdogServiceControlManagerTimeout.xml'
            - '.tmp\SystrayAutostart.xml'
            - '.tmp\MaintenanceTask.xml'
    filter_optional_klite_codec:
        CommandLine|contains|all:
            - '\Temp\'
            - '/Create /TN "klcp_update" /XML '
            - '\klcp_update_task.xml'
    condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_*
falsepositives:
    - Benign scheduled tasks creations or executions that happen often during software installations
    - Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders
level: medium